Kostya,
Please excuse me for providing my amateur-ish thoughts about this.
I was reading that news a few hours ago, and was thinking about it.
I have very mixed feelings. I immediately understood that most likely it would affect (break) Aquamail, which was unpleasant. So, I understand your reaction.
My other thought was that Google is making sure people are entering all their google accounts into the device, so that it is easier for Google to cross-track multiple accounts.
As for people's reaction and sentiments, I think it is all about who (and how) people trust.
Some (many?) people trust Google unconditionally and without limits. (I've always been surprised by that.) So, [at least] for [some of] them, OAUTH is the way to authenticate with Google in the apps without giving the app their credentials. I might be wrong, but I think they are grossly misguided: that is a false "security". Either you trust an app (taking into account the permissions it has, especially on pre-5.x Android where you have no selection of the permissions you allow or don't allow), and then you install it, or you don't trust it, and you shouldn't install it at all.
E.g. if the app has "access to accounts on the device", my understanding is that it can do a bunch of things on behalf of those accounts (is this right?) - even those that it didn't create in the first place.
If the app can "draw over the screen/other apps", it can easily spoof other apps' dialogues, and snatch authentication credentials.
So, the argument that an app can, in principle, intercept the web-view-based window is probably correct (?), but that app is likely able to do other malicious things.
In my opinion, the overall security design in Android is broken, where users have to allow the apps "all [that is requested] or nothing". It would've been OK in the '90s. But today, I would think a much more secure design would be to run apps in their own "jails"/"sandboxes". I understand that it would've made coding apps (and Android itself) more difficult. But it would've improved the security of the devices that we trust with our private communication, banking, etc. But I digress.